Dns-operations mailing list

[Stefan Sabolowitsch <Stefan.Sabolowitsch AT felten-group.com>]

Jeff,

On this screenshot you can see well, how does dampening work (red line).

http://www.myimg.de/?img=Dampening809d2.png

Am 06.12.2012 um 05:34 schrieb Jeff Taylor <shdwdrgn AT sourpuss.net>:

Very nice find!  Did you happen to see any info about this being backported to older versions?  For most of us, our distro's stable version is still back in the 9.7 or even 9.4 series.  I'm honestly surprised it has taken this long to see a solution released for an issue that is obviously affecting a lot of network operations.

One case to consider - if you DO have a dedicated firewall, then the iptables solutions should still be used (at least for now).  Otherwise all that query data could flood your internal network before it gets squashed.

On 11/28/2012 08:42 AM, Stefan Sabolowitsch wrote:

Hi all,

We all fight against dDOS, DOS to our DNS Server

short small example:

2-Nov-2012 07:45:58.339 client 184.168.72.113#39943 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.453 client 93.170.127.96#46196 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:45:58.661 client 93.170.127.96#14231 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:00.065 client 184.168.72.113#12578 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.696 client 93.170.127.96#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:01.786 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.075 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)
22-Nov-2012 07:46:03.509 client 184.168.72.113#25345 (isc.org): query: isc.org IN ANY +ED (192.168.200.12)

I found this nice patch from dns / dnssec Expert Lutz Donnerhacke here:

http://altlasten.lutz.donnerhacke.de/mitarb/lutz/bind-9.9.2-dampening.patch

An this small Information on this List.

http://permalink.gmane.org/gmane.network.dns.operations/1148

After this patch and with this Parameters in named.conf

       dampening {

                    exempt-clients { 216.87.84.214;128.177.28.254;207.192.71.13;66.244.95.11;202.83.95.229;84.200.228.200;178.63.116.152;75.127.96.89; };

                    report-interval 60 ;

                    score-per-query 1 ;

                    score-first-query 10 ;

                    min-table-size 500 ;

                    max-table-size 1000 ;

                    limit-maximum 32000 ;

                    # limit-enable-dampening min. 0.3 from limit-maximum

                    limit-enable-dampening 16000 ;

                    # limit-disable-dampening min. 0.1 from limit-maximum or limit-enable-dampening

                    limit-disable-dampening 5100 ;

                    limit-irrelevant 150 ;

                    score-qtype-any 100 ;

                    score-duplicates 100 ;

                    IPv4-prefix-length 24 ;

                    IPv6-prefix-length 48 ;

                   };

    

now i found in named.log this new information:

27-Nov-2012 15:56:08.181 client 93.170.127.96#592 (isc.org): query: isc.org IN ANY +ED (192.168.200.12) 15956

27-Nov-2012 15:56:08.181 93.170.127.0/24 dampening activated.

In the first Line at end, there is now the score value "15956"

In the second line you can see that this IP address /netblock in "Dampening" has come (limit-enable-dampening 16000).

After a week of testing, i can say it works very well.

I need no local firewall parameters or scripts to protect my test DNS server.

And here you can find all test, information about "DNS Dampening"

http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening

http://lutz.donnerhacke.de/eng/Blog/First-results-from-DNS-Dampening

http://lutz.donnerhacke.de/eng/Blog/Two-weeks-of-DNS-Dampening

http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening-under-the-microscope

http://lutz.donnerhacke.de/eng/Blog/DNS-Amplification-in-the-eyes-of-a-hosting-provider

Perhaps this information is also interesting for other  with DNS servers.

Regards

Stefan